How to parse a string with special format into obj...

jvdev · ‎04-14-2022

Hi there,

I have trying to use spath to try to extract fields inside a string. Currently, the string has this format..

stringField=["fieldOne": "fieldValue", "fieldTwo": "fieldValue", "fieldThree": "fieldValue"]

So, my string inside has some kinda of array with key value pairs. I would to be able to extract those fields and values in a way that I can use their information for my queries.

I would like to be able to get the value of fieldOne by just calling the fieldOne variable/object to get it's value to perform my desire task/stats and so on..

I was trying something like... but no luck!

search... | spath input=stringField

search... | eval newVariable=spath(_raw,'stringField')

search... | spath

search... | spath path=stringField output=newField

The first option of just using input with the spath command only gave me back the first field inside my string. And it was listed as {} field.

I would really appreciate the help!

ITWhisperer · ‎04-15-2022

| eval stringField="{".trim(stringField,"[]")."}"
| spath input=stringField

How to parse a string with special format into objects or variables?

field extraction

fields

subsearch

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?